[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-tech
Subject:    Re: pf doesn't rewrite source address for the icmp errors with rdr-to
From:       Mike Belopuhov <mkb () crypt ! org ! ru>
Date:       2011-02-23 11:54:57
Message-ID: 20110223115457.GA3222 () valkyrie ! hq ! vantronix ! net
[Download RAW message or body]

On Thu, Feb 17, 2011 at 14:00 +0100, Mike Belopuhov wrote:
> in the simple setup, like the one described in the pr 6564,
> pf won't rewrite source address for the icmp errors (like
> destination unreachable) when doing rdr-to.
> 
> this diff fixes issue for me and a pr originator.  comments?
> do we want to put it into 4.9?
> 

hi, i'm your friendly reminder that w/o this diff pf will be sending
out untranslated icmp error packets to the interwebs and anything can
happen!  save a kitten, okay a diff!

> Index: pf.c
> ===================================================================
> RCS file: /home/cvs/src/sys/net/pf.c,v
> retrieving revision 1.726
> diff -u -p -r1.726 pf.c
> --- pf.c	14 Feb 2011 11:01:36 -0000	1.726
> +++ pf.c	17 Feb 2011 11:54:53 -0000
> @@ -4498,8 +4498,7 @@ pf_test_state_icmp(struct pf_state **sta
>  				    &nk->addr[pd2.didx], pd2.af) ||
>  				    nk->port[pd2.didx] != th.th_dport)
>  					pf_change_icmp(pd2.dst, &th.th_dport,
> -					    NULL, /* XXX Inbound NAT? */
> -					    &nk->addr[pd2.didx],
> +					    saddr, &nk->addr[pd2.didx],
>  					    nk->port[pd2.didx], NULL,
>  					    pd2.ip_sum, icmpsum,
>  					    pd->ip_sum, 0, pd2.af);
> @@ -4576,8 +4575,7 @@ pf_test_state_icmp(struct pf_state **sta
>  				    &nk->addr[pd2.didx], pd2.af) ||
>  				    nk->port[pd2.didx] != uh.uh_dport)
>  					pf_change_icmp(pd2.dst, &uh.uh_dport,
> -					    NULL, /* XXX Inbound NAT? */
> -					    &nk->addr[pd2.didx],
> +					    saddr, &nk->addr[pd2.didx],
>  					    nk->port[pd2.didx], &uh.uh_sum,
>  					    pd2.ip_sum, icmpsum,
>  					    pd->ip_sum, 1, pd2.af);
> @@ -4653,7 +4651,7 @@ pf_test_state_icmp(struct pf_state **sta
>  
>  				if (PF_ANEQ(pd2.dst,
>  				    &nk->addr[pd2.didx], pd2.af))
> -                                       pf_change_icmp(pd2.dst, NULL, NULL,
> +                                       pf_change_icmp(pd2.dst, NULL, saddr,
>  					    &nk->addr[pd2.didx], 0, NULL,
>  					    pd2.ip_sum, icmpsum,
>  					    pd->ip_sum, 0, AF_INET);
> @@ -4728,7 +4726,7 @@ pf_test_state_icmp(struct pf_state **sta
>  
>  				if (PF_ANEQ(pd2.dst,
>  				    &nk->addr[pd2.didx], pd2.af))
> -					pf_change_icmp(pd2.dst, NULL, NULL,
> +					pf_change_icmp(pd2.dst, NULL, saddr,
>  					    &nk->addr[pd2.didx], 0, NULL,
>  					    pd2.ip_sum, icmpsum,
>  					    pd->ip_sum, 0, AF_INET6);
> @@ -4774,8 +4772,7 @@ pf_test_state_icmp(struct pf_state **sta
>  
>  				if (PF_ANEQ(pd2.dst,
>  				    &nk->addr[pd2.didx], pd2.af))
> -					pf_change_icmp(pd2.src, NULL,
> -					    NULL, /* XXX Inbound NAT? */
> +					pf_change_icmp(pd2.dst, NULL, saddr,
>  					    &nk->addr[pd2.didx], 0, NULL,
>  					    pd2.ip_sum, icmpsum,
>  					    pd->ip_sum, 0, pd2.af);

[prev in list] [next in list] [prev in thread] [next in thread]